Feedback from sanctions thematic questionnaire and screening systems examinations
1 Introduction
In the first quarter of 2022, we asked 65 supervised persons to complete a thematic questionnaire in relation to targeted financial sanctions. The questionnaire sought to gather information concerning:
how those businesses implemented targeted financial sanctions
how impacted customers, transactions and activity were identified
the type and nature of screening undertaken
tools used
systems and controls (including policies and procedures) established to identify and report instances where there may be a connection to a designated person or entity.
In Jersey, all legal and natural persons located in or operating in or from within Jersey or incorporated or constituted under the Laws of Jersey, are required to comply with obligations set out in the Sanctions and Asset-Freezing (Jersey) Law 2019 and the Sanctions and Asset Freezing (Implementation of External Sanctions) (Jersey) Order 2021 (together the Targeted Financial Sanctions Measures). The Targeted Financial Sanctions Measures also set out sanctions compliance reporting obligations to be made to the Minister for External Relations and Financial Services (MERFS) as soon as practicable.
In addition, supervised persons are required by the Order and the AML/CFT/CPF CoP to establish appropriate and consistent systems and controls (including policies and procedures), which amongst other things enable them to identify and scrutinise notable transactions and activity, including:
business relationships or transactions that are with a person connected with a country or territory in relation to which the FATF has called for the application of enhanced CDD measures
business relationships or transactions that are with a person:
- subject to measures under law applicable in Jersey for the prevention and detection of money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction
- connected with an organisation that is subject to such measures
- connected with a country or territory that is subject to such measures.
Supervised persons must check that such systems and controls are operating effectively, are being complied with and that prompt action is being taken to remedy any deficiencies identified.
Supervised persons are required to train employees in the recognition of notable or unusual transactions and activity, and must make employees aware of the supervised person’s systems and controls, as well as key legislation in place to prevent and detect financial crime, including the Targeted Financial Sanctions Measures.
Following the review of the questionnaires, in August 2022, the JFSC announced it would be conducting specialised testing as part of a sanctions screening systems thematic examination.
The aim of the thematic examination was to enhance our understanding of screening solutions utilised by supervised persons. The JFSC appointed AML Analytics Limited (AMLA) to provide analysis and stress testing of screening solutions, covering sanctions and Politically Exposed Persons (PEPs) using its analysis tool, to benchmark the results, and to assist the JFSC with the preparation and delivery of feedback following the conclusion of the testing.
2 Overview of examination activity – Sanctions Questionnaire
The sample of 65 supervised persons that completed the thematic questionnaire included regulated businesses from the following sectors: banking, fund services business (FSB), investment business (IB) and trust company business (TCB). The sample also included nine Schedule 2 businesses selected from the legal profession.
3 Findings and conclusions
The responses from the thematic questionnaire have highlighted several areas where information provided by supervised persons indicates there may be deficiencies in systems and controls. This highlights that the supervised persons concerned may be exposed to a heightened risk that they may be unable to evidence full compliance with Targeted Financial Sanctions Measures or other statutory or regulatory requirements.
The responses imply that some supervised persons may need to make comprehensive changes to systems and controls (including their policies and procedures) to fully comply with the regulatory framework.
We contacted certain supervised persons who completed the thematic questionnaire to better understand the information they provided and the status of systems and controls concerning the Targeted Financial Sanctions Measures and the prevention, detection, and reporting of financial crime. This could lead to future supervisory activity, which may include targeted onsite examinations.
The JFSC is concerned that the responses to this thematic questionnaire may also represent an indicator of heightened risks across industry connected with supervised persons’ systems and controls established to ensure compliance with Targeted Financial Sanctions Measures and other statutory and regulatory requirements to prevent, detect and report financial crime.
We therefore expect boards and senior management of supervised persons to consider their own arrangements against the matters identified by the questionnaire responses, set out in the following section of this feedback paper.
3.1 Key themes
3.1.1 Business Risk Assessment
The AML/CFT/CPF CoP require the board of supervised persons to conduct a Business Risk Assessment (BRA), which considers the supervised person’s risk appetite and its exposure to financial crime risks such as money laundering, targeted financial sanctions, terrorist financing and proliferation financing (ML, TFS, TF & PF) ‘in the round’. Based on its BRA, the board of the supervised person must establish a formal strategy to counter financial crime.
Five of the 65 businesses highlighted that they had not considered TFS as a risk factor in their BRA and one supervised person stated that it had not carried out and documented a BRA.
3.1.2 BRA – Best Practice
Most supervised persons surveyed indicated that their BRA contemplated the impact of TFS, TF & PF. 89% of respondents indicated that analysis of the impact of TFS, TF & PF had been carried out to varying degrees in respect of:
geographical factor
customer screening arrangements
customer, product and activity profiles
services provided
complexity and volume of transactions
risk appetite
delivery channels.
3.1.3 Policies and Procedures
Supervised persons are required to establish and maintain systems and controls that enable the supervised person to, amongst other things:
take action in response to highlighting countries and territories in relation to which the FATF has called for the application of countermeasures or enhanced CDD measures
take action to comply with Targeted Financial Sanctions Measures and the directions law
include steps to be taken once a potential match has been confirmed to ensure that prompt action is taken to comply with the Targeted Financial Sanctions Measures and other relevant statutory and regulatory requirements.
Supervised persons must check their systems and controls (including policies and procedures) are operating effectively and are being complied with.
Supervised persons operating in jurisdictions other than Jersey must also take account of any local requirements in those jurisdictions, which may be different to those in force in Jersey.
Of the 65 supervised persons that responded to the thematic questionnaire:
28 indicated that they had not established policies and procedures required by the AML/CFT/CPF CoP to take action to comply with Targeted Financial Sanctions Measures and other relevant statutory and regulatory requirements. This included action to be taken for reporting sanctions breaches to MERFS or applying for asset-freeze licenses.
Six highlighted that their policies and procedures were not up to date.
18 indicated that their policies and procedures did not take account of relevant local requirements in any other jurisdiction in which they were operating.
Seven implied that they had not established policies and procedures that were designed to prevent their businesses from being used for proliferation financing and one indicated that policies and procedures had not been established to prevent terrorist financing.
One business indicated that their payment screening procedures included a monetary limit for sanctions or other screening matches. The Targeted Financial Sanctions Measures do not include any monetary de minimis.
3.1.4 Policies and procedures – Best Practice
Almost all the businesses surveyed (98%) had policies and procedures in place to investigate potential sanctions matches. This included policies and procedures for applying enhanced due diligence measures where a potential match was identified.
3.1.5 Screening
Section 6 of the Handbook sets out principles and detailed requirements relating to ongoing monitoring and scrutiny of transactions and activity. The Handbook also provides guidance in this section on ways in which supervised persons may evidence they have complied with those requirements. For example, Section 6.3 of the Handbook includes guidance and information relating to best practices concerning the use of automated monitoring methods.
There were a range of matters highlighted by the responses to the thematic questionnaire connected to arrangements for screening customers, beneficial owners and/or controllers of customers, third parties for whom the customer is acting and third parties acting on behalf of customers.
Of the supervised persons that responded to the thematic questionnaire:
most (70%) indicated that they used automated screening tools or a mix of automated or manual screening arrangements. However, only 51% of the 65 businesses routinely carried out screening of customers and other parties on a daily basis
20 indicated limitations had been identified in screening tools used
19 highlighted they did not reconcile data feeds to ensure all data required to be screened was captured
10 did not have processes in place to review data used in screening to ensure data integrity
25 stated that monitoring was not conducted on discounted screening matches and 22 indicated that quality assurance was not undertaken on the output of screening activities
six confirmed that they did not screen against other jurisdictions’ sanctions lists
over a third (36%) did not provide reporting concerning screening activity to their board or senior management
seven confirmed they had not registered to receive notification of Sanctions Notices from the MERFS concerning TFS
seven indicated that they did not test modifications to their screening tool prior to those modifications going into production and a further 13 responses implied that such modifications were not subject to formal approval by senior management
four respondents, out of the 31 supervised persons who indicated that they rely on a third-party service provider or group function outside of Jersey to carry out elements of their screening processes, had not notified the JFSC of the outsourcing arrangement.
3.1.6 Screening – Best Practice
Most of the supervised persons surveyed (90%) indicated that they screened against other jurisdictions’ lists and 80% responded to confirm they reviewed data used in screening to ensure data integrity. Reconciliation of data used in screening, to ensure all records that needed to be routinely screened were captured, was carried out by two thirds of respondents.
3.1.7 Employee awareness and training
Section 9.5 of the Handbook sets out that a supervised person must provide employees with adequate training at appropriate frequencies and goes on to provide guidance that a supervised person may demonstrate that it has provided adequate training where, amongst other things, it addresses the supervised person’s and the employee’s obligations under the directions law and Targeted Financial Sanctions Measures.
Of the 65 supervised persons that responded to the thematic questionnaire:
13 confirmed specific training was not provided to those with responsibility for adherence to sanctions regimes
33 indicated training on compliance with the Targeted Financial Sanctions Measures was not tailored to specific roles within their organisation
19 did not test staff on their understanding of the Targeted Financial Sanctions Measures following training
two confirmed that training was not given to staff on sanctions regimes and on the sanctions compliance responsibilities of the employee and the supervised person.
3.1.8 Employee awareness and training – Best Practice
Nearly 80% of supervised persons that responded to the thematic questionnaire indicated that they provided training relating to targeted financial sanctions to employees. Two thirds of respondents confirmed they took steps to measure the employee’s understanding of such training.
4 Overview of examination activity – Sanctions Screening Systems
The aim of the examination was to test client and transaction screening tools used by supervised persons to understand their:
- effectiveness: the ability to create a match against the name of a designated person or a PEP[1]
- efficiency: the number of alerts generated by the screening tool per name screened.
Three key questions were considered:
- Does the screening tool generate an alert when an ‘exact’ or ‘unmanipulated’ sanctioned or PEP name is screened?
- Are ‘fuzzy matching’ rules, configuration and threshold settings effective, such that the screening tool generates an alert when a ‘manipulated’ sanctioned or PEP name is screened?
- Is the level of false positives generated by the screening tool manageable?
The names utilised for testing included names taken from applicable TF and PF related sanctions designations lists, the CIA World Factbook PEP List as well as a small number of non-sanctioned and non-PEP names to assist with the measurement of efficiency.
The testing was limited in scope, as per the above, and therefore did not extend to governance arrangements, policies and procedures, data validation, assessment of screening alerts or reporting to the MERFS.
The sample of 23 supervised persons who participated in the thematic examination comprised of regulated businesses from the following sectors:
5 Findings and conclusions
Of the 23 supervised persons that participated in the sanctions screening systems thematic examination, four businesses had one finding each and 19 supervised persons had no findings. The JFSC however provided a number of supervised persons with observations which are outlined below.
Following the examination, the JFSC has concluded that in the main supervised persons are effectively screening their client bases, including the use of ‘fuzzy matching’ functionality, against the various lists to enable them to identify potential designated persons or entities and PEPs. Supervised persons understand their screening tool(s) and have in place appropriate oversight of the effectiveness and efficiency of their screening tools and related controls.
As noted previously, Section 6 of the Handbook sets out the principles and detailed requirements relating to ongoing monitoring, scrutiny of transactions and activity.
5.1 Findings
All four findings were in respect of the supervised persons’ inability to demonstrate they had adequately tested their screening tool(s) to ensure they were operating effectively.
in one case the results of testing showed that the supervised person’s customer screening tool did not generate alerts against designated persons that it expected would be generated. Upon investigation it was established that the version of the screening tool it was using during the testing period was not the most recent version, and upgrading would address the issue identified
the customer screening tools utilised by one supervised person returned below-expectation effectiveness results, caused by it not utilising ‘fuzzy matching’ functionality in its screening
in two cases, there was a disparity in effectiveness of different customer screening tools used, i.e. one tool produced an alert for a name but another tool used by the supervised person did not. In both cases it was established that the less effective screening tool used during the testing was not the most up to date version, and upgrading would address the issue identified.
5.2 Observations
Whilst there were only four supervised persons that had findings from the examination, the JFSC provided observations to other supervised persons that included recommending:
that a review of the number of alerts per hit be undertaken and if the number is not considered acceptable to consider the ‘fuzzy matching’ rules, configuration and threshold settings of the screening tool
that consideration be given to the level of resources currently required to review alerts in a timely manner
that consideration be given to whether the effectiveness and efficiency results continue to be in line with the supervised person’s risk appetite
that policies and procedures are periodically reviewed and updated to ensure they remain appropriate and in line with applicable legislation
a regular assessment of the screening parameters be undertaken
the Board/Senior Management regularly evaluate the effectiveness and efficiency of the screening tools in place.
5.3 Best Practice
Supervised persons can minimise risks associated with their screening tools by:
ensuring screening tools are tailored and calibrated to their business and not simply implementing an ‘off the shelf’ or group solution without understanding whether it is fit for purpose in Jersey
understanding the strengths and limitations of the screening methodologies used, e.g. manual versus automated tools
understanding and assessing the limitations and risks of utilising ‘exact match’ only screening
having in place appropriate arrangements to identify which sanctions list should be screened against and when those lists change
conducting regular testing of their screening tool(s) to evaluate the effectiveness and efficiency
periodically recalibrating the ‘fuzzy matching’ rules, configuration and threshold settings of the screening tool to improve effectiveness and efficiency
monitoring the level of alerts, including the proportion of ‘false positives’, produced by their screening tools to ensure numbers remain manageable.
Guidance to assist supervised persons in meeting their legal obligations under sanctions legislation can be found on our website:
Sanctions — Jersey Financial Services Commission (jerseyfsc.org).
6 Recent amendments to the Handbook
Supervised persons are reminded the Handbook was updated on 1 July 2023 and therefore they should take steps to confirm they have in place arrangements to ensure compliance with the revised statutory and regulatory requirements.
Of particular relevance to this examination are the following new AML/CFT/CPF CoP specific to sanctions screening set out at paragraph 6.2.2:
A supervised person must undertake sanctions screening for all business relationships and one-off transactions. This screening must include the customer, any beneficial owners and controllers and other associated parties. The screening must be carried out at the time of take-on, periodic review and when there is a trigger event, i.e., amendments made to the sanctions designations lists.
A supervised person must sign up to receive sanctions e-mail alerts from the JFSC and sanctions notices from the Government of Jersey, which are publicly available on the Jersey Gazette.
A supervised person must ensure their sanctions monitoring arrangements include an assessment of the effectiveness of their sanctions controls and their compliance with the Jersey sanctions regime.
7 Next Steps
We expect boards and senior management of supervised persons to consider the findings highlighted in this paper and the content against their own arrangements to ensure their business is complying with all relevant statutory and regulatory requirements.
We also expect supervised persons to regularly check the efficiency and effectiveness of the screening tool(s) in place, making sure it remains relevant to its business and external risk factors.
Where supervised persons identify any deficiencies in systems and controls (including policies and procedures), we expect them to:
prepare a remediation plan and discuss this with their supervisor
consider the notification requirements under the AML/CFT/CPF CoP within Section 2.3 of the Handbook and Principle 6 of the relevant Codes of Practice
remedy any identified matters in the manner set out in the documented remediation plan agreed with their supervisor
consider what assurance activities may provide comfort to the board and senior management that deficiencies identified have been addressed effectively.
In future engagements with the JFSC, supervised persons may be asked to evidence steps taken to address identified deficiencies in their control environment.
Where this action is not considered to be adequate or where we identify deficiencies of a similar nature to those highlighted in our feedback papers, we will consider our future supervisory strategy and where appropriate, regulatory action.
8 Glossary
AML/CFT CoP | The AML/CFT/CPF Codes of Practice set out in the Handbook
AMLA | AML Analytics Limited
Board | Board of Directors, the Board function described in Section 2.1 of the Handbook
CDD | Customer due diligence, which has the meaning set out in the Order and the Handbook
CIA World Factbook PEP List | The Central Intelligence Agency online directory of World Leaders and Cabinet Members of Foreign Governments.
Designated person | A designated person is an individual, entity or ship, listed under legislation as being subject to sanctions.
Directions law | Money Laundering and Weapons Development (Directions) (Jersey) Law 2012
False positive | An alert generated by the screening system where, in reality, the scanned name is not the sanctioned party.
FATF | Financial Action Task Force
Financial Crime | For the purposes of this report ‘financial crime’ means money laundering, the financing of terrorism and the financing of the proliferation of weapons of mass destruction (proliferation financing)
FSB | Fund services business
Fuzzy matching | Relates to the rules in a screening tool that result in alerts being created for non-exact matches.
Guidance | Guidance provided to relevant persons in the Handbook
Handbook | The Handbook for the Prevention and Detection of Money Laundering, the Countering of Terrorist Financing and the Countering of Proliferation Financing
IB | Investment business
JFSC | Jersey Financial Services Commission
Manipulated name | A name that has been changed.
MERFS | Minister for External Relations and Financial Services
ML, TFS, TF & PF | Money laundering, Targeted Financial Sanctions, terrorist financing and proliferation financing
PEPs | Politically Exposed Persons
Order | The Money Laundering (Jersey) Order 2008
Regulatory laws | Collectively the: Banking Business (Jersey) Law 1991; Collective Investment Funds (Jersey) Law 1988; Financial Services (Jersey) Law 1998; and Insurance Business (Jersey) Law 1996
Regulatory requirements | The AML/CFT/CPF Codes of Practice contained within the Handbook
Schedule 2 | A business described in Part 3 of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999
Supervised person | For the purposes of this report, a supervised person is: registered with the JFSC under one of the regulatory laws; and/or carrying on a business described in Part 3 of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 and is referred to as a Schedule 2 business.
TCB | Trust company business
Unmanipulated name | A name that is used exactly as it appears on a list.
[1] A small percentage of the test names were PEPs that were not necessarily also designated persons.